
Security


XSS Filter Evasion Cheat Sheet

Last revision (mm/dd/yy): 07/4/2018

This cheat sheet lists a series of XSS attacks that can be used to bypass certain XSS defensive filters. Please note that input filtering is an incomplete defense for XSS, which these tests can be used to illustrate.

Basic XSS Test Without Filter Evasion

This is a normal XSS JavaScript injection, and the most likely to get caught, but I suggest trying it first (the quotes are not required in any modern browser, so they are omitted here):

XSS Locator (Polyglot)

The following is a "polyglot" test XSS payload:

javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>

Image XSS using the JavaScript directive

Image XSS using the JavaScript directive (IE7.0 doesn't support the JavaScript directive in the context of an image, but it does in other contexts; the following shows the principles that would work in other tags as well):

No quotes and no semicolon

Case insensitive XSS attack vector

HTML entities

Malformed A tags

Prevent cross site scripting with jsoup

Problem

You want to allow untrusted users to supply HTML for output on your website (e.g. as comment submission). You need to clean this HTML to avoid cross-site scripting (XSS) attacks.

Solution

Use the jsoup HTML Cleaner with a configuration specified by a Whitelist.

import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

// Untrusted markup carrying an inline event handler
String unsafe = "<p><a href=' onclick='stealCookies()'>Link</a></p>";
// Keep only the tags and attributes permitted by the basic whitelist
String safe = Jsoup.clean(unsafe, Whitelist.basic());
// now: <p><a href=" rel="nofollow">Link</a></p>

Discussion

A cross-site scripting attack against your site can really ruin your day, not to mention your users'. A better solution may be to use a rich text WYSIWYG editor (like CKEditor or TinyMCE). The jsoup whitelist sanitizer works by parsing the input HTML (in a safe, sandboxed environment), and then iterating through the parse tree and only allowing known-safe tags and attributes (and values) through into the cleaned output. It does not use regular expressions, which are inappropriate for this task.

What's New in Apache Shiro 1.2

Apache Shiro 1.2.0 was released on Tuesday, January 24 2012 with a lot of new features and improvements that most of the community will find useful. Thanks to everyone who contributed to this release; it was a significant undertaking and reflects a big step forward for the project. In this article, we'll break the improvements up into four categories - Tools, Core, Web, and Support Modules - and cover them below.

Tools

Previously, Apache Shiro has been exclusively an embedded application framework. Version 1.2 retains this design goal, but adds a very small convenience command-line cryptographic hashing program.

Command-Line Hasher

The new shiro-tools-hasher-1.2.0-cli.jar file is an executable jar program:

> java -jar shiro-tools-hasher-1.2.0-cli.jar

This command will print out a full list of instructions and options.

Password Hashing (the -p/--password flag):

> java -jar shiro-tools-hasher-1.2.0-cli.jar -p
Password to hash:
Password to hash (confirm):

Core

PasswordService.